We had an issue where unapproved SCCM clients threw errors on SMS_MP_CONTROL_MANAGER such as “MP has rejected a policy request from GUID:XXXXXXXXXXXXXXXXXXXX because it was not approved. The operating system reported error 2147942405: Access is denied.”

The environment was running System Center Configuration Manager 2007 R2 in mixed mode, with the client approval setting as follows

Possible Solutions:
To get the client approved by any means.

Solutions suggested by colleagues:
Client repairs, client reinstall or manually approving clients.

Initial Analysis:

1. Checked the MP IIS logs for one of the machines which threw these errors, with IP address

2014-03-28 00:03:41 W3SVC 1 00.00.00.00 GET /SMS_MP/.sms_pol GHJREEVJ JHGE 80 - 1 00.00.00.00 SMS+CCM 200 0 0
2014-03-28 00:03:41 W3SVC 1 00.00.00.00 GET /SMS_MP/.sms_pol GHJREEVJ JHGE 80 - 1 00.00.00.00 SMS+CCM 200 0 0
2014-03-28 00:03:41 W3SVC 1 00.00.00.00 GET /SMS_MP/.sms_pol GHJREEVJ JHGE 80 - 1 00.00.00.00 SMS+CCM 200 0 0

2. Checked MP_RegistrationManager.log

This showed lots of instances of “Certificate issued to 'SMS' has expired” in MP_RegistrationManager, though they weren't for the above machine GUID.

Certificate issued to 'SMS' has expired. MP_RegistrationManager 28/03/2014 07:13:16 25900 (0x652C)
MP Reg: Registration request body is invalid. MP_RegistrationManager 28/03/2014 07:13:16 25900 (0x652C)
MP Reg: Registration failed. MP_RegistrationManager 28/03/2014 07:13:16 25900 (0x652C)
MP Reg: Message Body : <ClientRegistrationRequest><Data RequestType="Registration" TimeStamp="2014-03-28T07:23:16Z" SMSID="GUID: GHJREEVJ JHGE -108C1AEE374D"><AgentInformation AgentType="0" AgentVersion="4.00.6487.2000"/><Certificates>
Certificate issued to 'SMS' has expired. MP_RegistrationManager 28/03/2014 07:23:16 40144 (0x9CD0)
MP Reg: Registration request body is invalid. MP_RegistrationManager 28/03/2014 07:23:16 40144 (0x9CD0)
MP Reg: Registration failed. MP_RegistrationManager 28/03/2014 07:23:16 40144 (0x9CD0)

3. Checked ClientAuth.log

This also showed messages like 'Message rejected due to signature verification failure.'

CCMValidateAuthHeaders failed (0x80040213) to validate headers for client 'GUID: GHJREEVJ JHGE '. ClientAuth 24/03/2014 06:27:42 16808 (0x41A8)
Message rejected due to signature verification failure. ClientID: GUID: GHJREEVJ JHGE
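
Added example, not part of the original post: one way to tell which client GUIDs the expired-certificate and signature-failure entries in steps 2 and 3 actually belong to, by grouping entries that share a thread id and timestamp. It assumes the log text is in the layout pasted above; `failing_clients`, the signal names and the sample GUIDs are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout (as pasted from the log viewer on this page):
#   <message> <component> dd/mm/yyyy hh:mm:ss <thread> (0x<hex thread>)
ENTRY = re.compile(r"^(?P<msg>.*?)\s+(?P<comp>\S+)\s+"
                   r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
                   r"(?P<tid>\d+)\s+\(0x[0-9A-Fa-f]+\)\s*$")
GUID = re.compile(r"GUID:\s*([0-9A-Fa-f-]{36})")
SIGNALS = {  # substrings taken from the log messages quoted on this page
    "has expired": "cert_expired",
    "Registration failed": "registration_failed",
    "CCMValidateAuthHeaders failed": "bad_signature",
    "signature verification failure": "bad_signature",
}

def failing_clients(lines):
    """Map client GUID -> failure signals seen in the same request.

    Assumption: entries of one request share thread id and timestamp; a line
    without trailing metadata (a truncated Message Body) joins the previous entry.
    """
    groups = defaultdict(lambda: (set(), set()))  # key -> (signals, guids)
    key = None
    for line in lines:
        m = ENTRY.match(line)
        if m:
            key, msg = (m["tid"], m["ts"]), m["msg"]
        elif key is not None:
            msg = line
        else:
            continue  # stray text before the first parsable entry
        signals, guids = groups[key]
        signals.update(v for k, v in SIGNALS.items() if k in msg)
        guids.update(g.upper() for g in GUID.findall(msg))
    report = defaultdict(set)
    for signals, guids in groups.values():
        for guid in guids:
            report[guid] |= signals
    return {g: s for g, s in report.items() if s}

SAMPLE = [  # constructed lines in the page's layout; both GUIDs are made up
    "Certificate issued to 'SMS' has expired. MP_RegistrationManager 28/03/2014 07:13:16 25900 (0x652C)",
    "MP Reg: Registration failed. MP_RegistrationManager 28/03/2014 07:13:16 25900 (0x652C)",
    'MP Reg: Message Body : <Data SMSID="GUID:11111111-2222-3333-4444-555555555555">',
    "CCMValidateAuthHeaders failed (0x80040213) to validate headers for client "
    "'GUID:AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'. ClientAuth 24/03/2014 06:27:42 16808 (0x41A8)",
]
```

Calling `failing_clients(SAMPLE)` returns one entry per GUID, which gives a list of clients whose SMS certificate should be checked before anyone is approved manually.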

Actions Taken:

1. Connected to the client machine and checked the SMS certificate, which showed as not expired. But I suspected the issue was with the certificate.

2. I tried deleting the certificate and re-registering the client, which fixed the issue.

Hence there wasn’t a need to approve the client manually. Monitored the component status of SMS_MP_CONTROL_MANAGER for 2-3 hours and those messages disappeared.

References:

1. This blog has a wonderful script to work on such unapproved machines: CHRISTJAN'S IT MINUTES http://itminutes.net/?p=240

2. Technet Discussion Forum